1# Domain for shell processes spawned by ADB or console service. 2type shell, domain, mlstrustedsubject; 3type shell_exec, exec_type, file_type; 4 5# Create and use network sockets. 6net_domain(shell) 7 8# Run app_process. 9# XXX Transition into its own domain? 10app_domain(shell) 11 12# logd access 13read_logd(shell) 14control_logd(shell) 15 16# read files in /data/anr 17allow shell anr_data_file:dir r_dir_perms; 18allow shell anr_data_file:file r_file_perms; 19 20# Access /data/local/tmp. 21allow shell shell_data_file:dir create_dir_perms; 22allow shell shell_data_file:file create_file_perms; 23allow shell shell_data_file:file rx_file_perms; 24allow shell shell_data_file:lnk_file create_file_perms; 25 26# adb bugreport 27unix_socket_connect(shell, dumpstate, dumpstate) 28 29allow shell devpts:chr_file rw_file_perms; 30allow shell tty_device:chr_file rw_file_perms; 31allow shell console_device:chr_file rw_file_perms; 32allow shell input_device:dir r_dir_perms; 33allow shell input_device:chr_file rw_file_perms; 34allow shell system_file:file x_file_perms; 35allow shell shell_exec:file rx_file_perms; 36allow shell zygote_exec:file rx_file_perms; 37 38r_dir_file(shell, apk_data_file) 39 40# Set properties. 41unix_socket_connect(shell, property, init) 42allow shell shell_prop:property_service set; 43allow shell ctl_dumpstate_prop:property_service set; 44allow shell debug_prop:property_service set; 45allow shell powerctl_prop:property_service set; 46 47# systrace support - allow atrace to run 48# debugfs doesn't support labeling individual files, so we have 49# to grant read access to all of /sys/kernel/debug. 50# Directory read access and file write access is already granted 51# in domain.te. 52allow shell debugfs:file r_file_perms; 53 54# allow shell to run dmesg 55allow shell kernel:system syslog_read; 56